What is Risk Management?

We'll take you through Risk Management, look at examples, and break it down into its practical components so you can implement the best Risk Management for your organisation.

Welcome to the second post in our Guide to Risk. If you’ve not read it yet, do look at our first post What is Risk?

Now we know what Risk is for our organisation, we can move on to Risk Management. We’ll run through the main themes, and review government guidance and standards, so you can draw inspiration, or select one to comply with, and create the right Risk Management at your organisation.


What is Risk Management?

While there is no global ‘Risk Law’ that applies to every organisation, telling it what risk is, what risk management looks like, and what to do about risk, there’s a LOT of guidance and standards on Risk Management out there, plus a coalescence around a set of common themes and practices.


It’s your ‘Management System’ for risk

Risk Management is everything you do to identify, address and manage risk at your organisation as part of your risk governance program, from the people in charge, your risk management principles, your framework, to your policies and procedures, your audits, your training, the lot.


ISO’s standard on Risk Management, ISO 31000, defines Risk Management as ‘coordinated activities to direct and control an organization with regard to risk’.

If you work in Security or Privacy and you think this all sounds a lot like a ‘management system’ (as in ISMS and PIMS), you’re correct. And just as your ISMS or PIMS varies from organisation to organisation, based on factors such as industry, size, customer base etc, so will your Risk Management.


Applicable laws and regulations

Your organisation will be subject to laws, regulations and perhaps industry codes that require you to look at particular risks in a particular way. These may be:

  • general or ‘horizontal’ laws, such as GDPR on data protection risk to individuals or the Health & Safety laws (though there aren’t too many of this type of horizontal law), or
  • domain-specific or ‘vertical’ laws, for example if you’re regulated as a Finance or Healthcare organisation, or you sell toys or medical devices, or you fall under the EU AI Act or the various NIS Directive national laws.

You’ll also have contractual obligations to manage, for example on confidential information, and other drivers for establishing the right Risk Management for your organisation.


Different strategies

We’re focussed on practical Risk Management for the vast majority of organisations and circumstances, implemented in an achievable Risk Management Framework (RMF). There are other ways to look at risk, and other risk management strategies, that might be relevant based on your organisation and your circumstances.

For example, ISACA’s guide to risk management is a good introduction to the appropriateness of different strategies, including quantitative and qualitative. You’ll want to review the alternatives to ensure you choose the appropriate method(s) for your organisation.


We’ll crack on, assuming you’re in the majority of organisations, and the lessons in these posts will also help if you do decide to go down another route. So let’s look at some of the top Guidance on Risk Management, starting with the UK government’s famous ‘Orange Book’.


The UK Gov’s ‘Orange Book’

The UK Government’s Orange Book (May 2023, subtitle: ‘Management of Risk – Principles and Concepts’) is an excellent guide to Risk Management, and takes you through each aspect as the UK government sees it. We highly recommend it.


The Orange Book’s Risk Management Framework

The Orange Book sets out a Risk Management Framework and states that, ‘[f]or the risk management framework to be considered effective, the following principles shall be applied:

A   Risk management shall be an essential part of governance and leadership, and fundamental to how the organisation is directed, managed and controlled at all levels.

B   Risk management shall be an integral part of all organisational activities to support decision-making in achieving objectives.

C   Risk management shall be collaborative and informed by the best available information and expertise.’

The Orange Book has an excellent summary diagram of its Risk Management Framework, with the above three principles (A to C) in the outer circles:

Diagram from the Orange Book by the UK Government showing the risk management framework


It is so important to have Risk Management owned and driven from the Board down, for it to be given the priority it needs to enable that collaboration and prioritisation through the organisation. And you can see the continual improvement cycle at work in the diagram.

Again, the vision set out in this wording will be very familiar to practitioners who’ve reviewed or implemented standards such as ISO 27001.


The Orange Book’s 4 Core Activities

The four core activities, or processes, in the centre of the Orange Book’s diagram, are the main risk management processes:

  1. ‘risk identification and assessment to determine and prioritise how the risks should be managed’
  2. ‘the selection, design and implementation of risk treatment options that support achievement of intended outcomes and manage risks to an acceptable level’
  3. ‘the design and operation of integrated, insightful and informative risk monitoring’ and
  4. ‘timely, accurate and useful risk reporting to enhance the quality of decision-making and to support management and oversight bodies in meeting their responsibilities’

Point to note

It’s easy to confuse these core activities and equate them with Risk Management itself, instead of seeing them as core activities at the heart of Risk Management. For example, they’re at the heart of ISO 31000, as we’ll see now.


ISO

The ISO, in describing their generic standard on Risk Management ISO 31000, clearly demonstrates the comprehensiveness of the word ‘management’:

ISO 31000 is an international standard that provides principles and guidelines for risk management. It outlines a comprehensive approach to identifying, analyzing, evaluating, treating, monitoring and communicating risks across an organization.

This short description is excellent. It may not expressly call out the leadership and commitment elements from the standard, and your risk methodology is implied across the description, but it’s clear we’re talking about your whole risk governance process.

ISO 31000 sets out 3 interacting domains of Risk Management, which roughly correlate to the Orange Book’s concentric circles above:

  1. Principles, which set the tone and aims of your entire governance,
  2. Framework, which is based on the famous Plan, Do, Check, Act steps of program implementation and continuous improvement, and
  3. Process, which is what most practitioners will be applying in their daily roles. And it’s here that Risk Assessment lives.

The standard gives the following diagram of Process, which closely correlates to the four core processes in the Orange Book:

Diagram of the Risk Management Process from ISO 31000


ISACA

ISACA ‘is a global professional association and learning organization with 185,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. With a presence in 188 countries and with 225 chapters worldwide, ISACA is recognized around the world for its guidance, credentials, education, training and community.’

ISACA’s publication Risk Assessment and Analysis Methods: Qualitative and Quantitative identifies seven processes, visualised as follows:

ISACA risk management process


Those seven main processes are:

  1. ‘Determine the risk context and scope, then design the risk management strategy.
  2. Choose the responsible and related partners, identify the risk and prepare the risk registers.
  3. Perform qualitative risk analysis and select the risk that needs detailed analysis.
  4. Perform quantitative risk analysis on the selected risk.
  5. Plan the responses and determine controls for the risk that falls outside the risk appetite.
  6. Implement risk responses and chosen controls.
  7. Monitor risk improvements and residual risk.’

You can see that these seven processes track the Orange Book’s RMF and ISO 31000. They also lead us to consider the next three key aspects for Risk practitioners, that we’ll look at in our next posts:

  • Risk Methodology – how you’re actually going to do each of these,
  • Risk Appetite – your organisation’s view on what level of risk is unacceptable, acceptable if treated, acceptable straight away, etc, and
  • Risk Evaluation – you can’t do everything, so you’ll take a risk-based approach, looking more closely at the highest, most critical, most urgent risks first and working your way down.


Security & Privacy & AI

This is a long post, so thank you for keeping with us!

This is a guide to Risk generally, not specific to our three main risk domains, but, happily, the approach to Risk Management in each of our three main risk domains is mostly identical to the above.

This is unsurprising, as 27001 is the most-adopted of ISO standards and 31000 is highly influential, plus the first principles take you to the exact same place no matter your risk domain.


Security & Privacy

As an example, let’s look at the Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, published by the USA’s National Institute of Standards and Technology, or NIST. As NIST states:

The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.

The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. …

In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.

ISO standards like to refer to ‘management systems’ for the specific area. So the ISO 27000 family of standards provides a way to build your Information Security Management System, or ISMS.

And the term PIMS (for Privacy Information Management System) is gaining traction through the British standard BS10012 and the ISO standard ISO 27701 (currently the Privacy add-on for 27001), and other standards.

Be aware that PIMS can still mean different things to different people, such as the EDPS.


AI

AI is an area where we’re bombarded with guidance and standards, such as:

  • The UK ICO has published an AI and Data Protection Toolkit, ‘to provide further practical support to organisations to reduce the risks to individuals’ rights and freedoms caused by their own AI systems’, with 32 risk statements to consider, focussed on data protection.
  • The UK Government, amongst other actions, has published an Introduction to AI Assurance, is working on an AI Management Essentials Tool (and finished consulting on that in January 2025), and has published Safety and security risks of generative artificial intelligence to 2025, covering risks and threats.
  • The Dutch government released and iterated its AI Impact Assessment (more than risk) in 2024.
  • NIST released its iterated AI Risk Management Framework in 2023, and it’s consistent with NIST’s ‘Govern, Map, Measure, Manage’ continual improvement paradigm.
  • ISO has several standards, including ISO 23894 on AI risk management, which leans heavily on the generalised approach set out in ISO 31000, and ISO 42001 on AI Management more generally, all consistent with the ISO’s favoured ‘Plan, Do, Check, Act’ paradigm for continual improvement.

It’s a case of reviewing your current RMF, the guidance and standards out there, and building on your existing expertise and awareness as you expand to integrate and cover AI in the most appropriate way for your organisation.


Assessments & Risk in Keepabl

Book your demo to see how Keepabl makes your Assessments super smooth and lets you implement your risk management process, tailored to your methodology.
